Encryption is a silent, unsung hero of our modern connected society. From protecting your sensitive details when you log on to Internet banking to protecting the data on your laptop or mobile phone if it is lost or stolen, ‘crypto’ (the oft-used shortened form of cryptography, which includes the wonderful art and science of encrypting information) is a supporting pillar of the global economy and of most of the digital world we all touch day to day. Establishing trust in crypto (and thus in technology as a whole) is difficult, now more than ever after the revelations of the past 18 months, and the following news therefore potentially comes as a significant blow to online privacy and security. Or, as some in the industry would put it: does it?

Over the past 24 hours the website for TrueCrypt (a very widely used encryption solution) was updated with a rather unusually styled message stating that TrueCrypt is “considered harmful” and should not be used. If you have not come across TrueCrypt, or wonder why it has become so popular, see the section ‘Why do people use TrueCrypt?’ below. The announcement posted at truecrypt.sourceforge.net states:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues… The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms… You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform”

On first inspection I was convinced this must be some kind of hoax, hijack or perhaps a hack, given that SourceForge last week forced users through a password change process. There has been no announcement to suggest SourceForge was hacked, and they have clearly stated the change was made to enhance their procedures for storing passwords, perhaps learning from the mistakes of eBay. As you can see below, the page looks somewhat basic and the announcement is widely regarded as rather abrupt (even by some of those involved in the project). Tempting though it is to think of this as a fake, there is far more evidence to support the view that this is a genuine (albeit oddly styled) announcement and that the widely used open source encryption solution is no more. That said, caution is strongly advised, as you will see below.

The announcement advocates that users migrate from TrueCrypt to Microsoft BitLocker, but this change is far more than a recommendation and warning page. The source code and binaries (installers) for TrueCrypt on the site have been heavily modified. A quick review of the code shows it is littered with changes and comments such as the rather alarming “INSECURE_APP”. What's more, the installer now offered for download on the website has undergone some very significant changes: you can only decrypt data and no longer encrypt it (reinforced by a myriad of warning messages when you actually run the software). The binary is signed (a method of validating that the software was published by the authors and is not a trojan or modified version) in the usual way by the TrueCrypt developers, adding to the argument that this is genuine. That said, this certainly would not be the first time that attackers have stolen signing keys (the infamous Stuxnet, for example, abused the code signing of another legitimate company). None of the TrueCrypt team have come forward to suggest that this is the case, however.
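A valid code signature only tells you the file was signed with some key that Windows trusts; the stolen-key caveat above means a careful reviewer also compares who signed it against earlier releases. The following PowerShell is an added example (not the author's or the TrueCrypt project's code) that does that inspection; the file path, expected publisher name and thumbprint are placeholders to replace with values recorded from a previously trusted build, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example: inspect an installer's Authenticode signature the way a cautious
# reviewer would, rather than stopping at "Valid". Path and expected publisher
# details are placeholders; substitute values recorded from a trusted earlier release.
param(
    [string]$Path = 'C:\Downloads\installer.exe',                         # placeholder
    [string]$ExpectedSubjectMatch = '<publisher CN from a trusted build>', # placeholder
    [string]$ExpectedThumbprint = '<signer thumbprint from a trusted build>' # placeholder
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. Is there a signature at all, and does the file's hash still match it?
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    return
}

$cert = $sig.SignerCertificate
"Signer subject : $($cert.Subject)"
"Issuer         : $($cert.Issuer)"
"Thumbprint     : $($cert.Thumbprint)"
"Valid from/to  : $($cert.NotBefore) / $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning 'No countersignature timestamp: the signature cannot be relied on once the certificate expires.'
}

# 2. 'Valid' proves a trusted key signed the file, not that it was the publisher's
#    usual key. A new subject, issuer or thumbprint on a new build is a reason to pause.
if ($cert.Subject -notlike "*$ExpectedSubjectMatch*") {
    Write-Warning 'Signer subject does not match the expected publisher.'
}
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning 'Signer thumbprint differs from the recorded one; treat this as a new signing key.'
}

# 3. Record the file hash next to the signer details so later builds can be compared.
$hash = Get-FileHash -Path $Path -Algorithm SHA256
"SHA256         : $($hash.Hash)"
```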

If we assume this announcement is legitimate, offering users a back-out strategy for all their encrypted data is a logical move, but nonetheless I very cautiously ran the new TrueCrypt in an environment I use for malicious code analysis. I also checked over the source code briefly for overt backdoors or other malware, but there is a significant volume of code and such things are not always trivial to spot. Jake Williams, SANS Instructor and Principal at Rendition InfoSec, phrased this a little better than I: “I’ve long suspected that a government was behind TrueCrypt. The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code”. To further make the point, the older versions of the code have been removed, forcing people to the new version. Despite my feeling that this is an odd but genuine announcement, I would not recommend downloading this version and would wait for clarity on the motives, changes and back-out strategy.

Why end it like this? Why end it at all?

TrueCrypt has been a popular solution for journalists and sources to communicate securely, a tool used widely by privacy advocates, and a standalone solution that is popular with information security professionals, so why end it like this? Some have argued that this is just a rather dramatic Lavabit-style termination. Others have eloquently suggested that the developers have come under political or legal coercion, with some sort of ‘uber’ gag order preventing them from telling the full story. Some forums talk of this being a half-hearted attempt to comply with an NSA request. This is certainly plausible given the abrupt nature and lack of extensive explanation, but others have suggested that the TrueCrypt team may have called it quits because of the in-progress, crowd-funded crypto audit. The audit so far looked robust, but they may have realised they were about to be outed. You can read more about this in my fellow contributor Runa Sandvik's blog. Another alternative, I suppose, is that the lead developers decided they have had enough of being flamed from all sides and just gave up. The last theory is that there are genuine technical motives for this, as we will explore in more depth below.

Why do people use TrueCrypt? Is Open Source Crypto Important?

Crypto protects very important information, from financial data to PII, and is a core component of security and privacy. We all use it, whether we are ‘privacy aware’ or just picking up our mobile to check our e-mail. In this day and age of technical flaws like Heartbleed and nation states spying, there is a great temptation to turn to solutions like TrueCrypt where the code is available for anyone (with the right skills) to review. You can literally sift through the code and check for backdoors, plus it has the major benefit of being free (and who doesn’t love free!). That said, as discussed earlier in the article, many in the industry have been sceptical of TrueCrypt and its origins. Putting this aside, the case for open source versus commercial is not as clear cut as some would argue. As we learned with Heartbleed and OpenSSL, the assumption of greater trust and robustness through transparency is not necessarily a given. Lots of people use open source software and ‘assume’ that other smart people are validating quality and security, so they just use it without validating that assumption, or the code, themselves. Very quickly you can end up with a situation where lots of people are assuming others are checking, when in reality it is a very small community that actually does so.

I am not suggesting TrueCrypt is a victim of this like OpenSSL, but it is an interesting perception challenge with the security of open source. Unlike the majority of software, the crypto space has been littered with standards and audit processes to allow crypto products to demonstrate that they do not have ulterior motives (money making aside) and have a secure implementation. In the case of some commercial companies this process has gone awry, but broadly speaking it tends to keep things on the straight and narrow. There are many commercial solutions certified and trusted by consumers and governments side by side. Therefore, while I love open source software in this space, commercial crypto isn’t the naturally flawed beast some would argue it to be.

What should you do?

Firstly, I would not encourage users to panic and freak out about their security being blown open. That said, I do think that a migration strategy is sound and the recommendation of BitLocker is not a terrible one. Indeed, the EFF have for some time recommended BitLocker (they go so far as to call it the gold standard) and it has been the subject of numerous audits and standards checks. I can also understand that life for TrueCrypt is becoming technically far harder with new operating systems and hardware. At Sophos [Disclosure: I work for Sophos] I worked closely with the development team that maintained our pre-boot environment, shims and other mechanisms for hooking into the OS. I can say first hand that this is an expensive, difficult and cumbersome thing to do, whereas for Microsoft, which owns the OS and the relationship, it is a much easier task. Trying to “out-Microsoft Microsoft” at hardware support, performance and compatibility is a tough gig, and there is a wealth of new features in modern hardware and software that offer major trust enhancements and just ‘work’ with BitLocker (TPM, UEFI, Secure Boot, Windows 8.1 etc). This is precisely why Sophos made the move to start managing BitLocker and other inbuilt encryption technologies like FileVault on Mac OS X rather than focusing on maintaining our own environment. Policy and management was the piece where more value could be added, rather than the actual encryption component. Encryption at the disk level has moved into the infrastructure: the OS, and even below that into the disk itself. This does not invalidate the importance of encryption at the application, transport or data layer, but full disk encryption has become more of a default capability. Therefore, I certainly can understand the TrueCrypt statement from a technical perspective.

In short, I wouldn’t panic, but I would look at alternative implementations as suggested. Do note that the instructions provided vary in quality - the Windows ones make sense, but those for other platforms are not very foolproof. For example, the Linux instructions state “Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation.”, which is not particularly helpful. Unfortunately BitLocker is also not available in every Windows version - only Ultimate or Enterprise in Windows 7 and Pro or Enterprise in Windows 8 - which leaves the vast majority of consumers with lesser editions to seek other alternatives. One thing I can tell you for sure is that this topic divides security professionals and will stimulate a great deal of debate.
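Before migrating a TrueCrypt volume to BitLocker it is worth confirming that the machine actually qualifies: the right Windows edition, a TPM to seal keys to, and UEFI Secure Boot for the trust enhancements mentioned above. The script below is an added example (not from the original post or from Microsoft); it assumes Windows 8 or later with the BitLocker, TrustedPlatformModule and SecureBoot PowerShell modules, run from an elevated session.

```powershell
# Added example: readiness check for the recommended move to BitLocker.
# Assumes Windows 8+ and an elevated PowerShell session.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Edition        : $($os.Caption)"

# BitLocker ships only with certain editions (Pro/Enterprise on Windows 8,
# Ultimate/Enterprise on Windows 7); on other editions the cmdlets are simply absent.
if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    Write-Warning 'BitLocker cmdlets not found: this edition does not include BitLocker.'
    return
}

# A present and ready TPM lets keys be sealed to hardware instead of relying on
# a password or USB startup key alone.
try {
    $tpm = Get-Tpm
    "TPM present    : $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"
} catch {
    Write-Warning "TPM query failed: $($_.Exception.Message)"
}

# Secure Boot state is only reportable on UEFI firmware; the cmdlet throws on legacy BIOS.
try {
    "Secure Boot    : $(Confirm-SecureBootUEFI)"
} catch {
    Write-Warning 'Secure Boot not available (legacy BIOS or unsupported firmware).'
}

# Protection state of every volume, so you can see what is still unencrypted
# before decommissioning a TrueCrypt container.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, VolumeStatus, EncryptionPercentage |
    Format-Table -AutoSize
```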

I will follow this article up shortly with a few short video clips on how to use alternatives (on Windows, Mac and Linux) and any updates on the legitimacy of the announcement. Until then TrueCrypt leaves a cloud of mystery and a great deal of speculation, and I would advise TrueCrypt users to be cautious and to watch this space closely. Follow @jameslyne on Twitter.